Self Signed Certificate with Custom Root CA

First we need OpenSSL installed; I'm using OpenSSL 3.0.13.

Create the Root Certificate

The first step is to create a root CA (Certificate Authority). This is the certificate we will later import into the browser as a trusted root, so that every certificate signed with its key is trusted as well.

The following command creates the private key that will be used to sign it:

openssl genrsa -des3 -out rootCA.key 4096

The -des3 flag encrypts the key file with a passphrase: you will be prompted to set it here and to enter it again every time the key is used (for example when signing the certificate below).


After creating the key, we can create the certificate and self-sign it with the key we just generated:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Create the Certificate

Similar to the previous step, we need a key for the certificate we are about to create. In this case it is the key for the domain workbench.local:

openssl genrsa -out workbench.local.key 2048

Now that we have the key, we have to create a certificate signing request (CSR). The CSR carries the public key and the names we want in the certificate; it is what we hand to our root CA to sign in the final step, and that signature is what turns it into a certificate the browser can trust.

The important thing here is to create a CSR that contains SANs (Subject Alternative Names). SANs list the DNS names and IP addresses the certificate is valid for. This is required because some browsers (Chrome, I'm looking at you) ignore the Common Name and treat a certificate without this field as insecure. The plain command below, however, will not ask you for SANs, although it does generate a CSR:

openssl req -new -key workbench.local.key -out workbench.local.csr

To add them, we must create a config file and pass it to openssl req. Let's create the config file for the workbench.local domain and name it workbench.local.req.cnf:

[ SAN ]
subjectAltName = DNS:workbench.local, DNS:www.workbench.local

Now we generate the CSR file using the following:

openssl req -new -key workbench.local.key -out workbench.local.csr -subj "/CN=workbench.local" -reqexts SAN -config ./workbench.local.req.cnf

If we inspect the generated CSR, we see a section X509v3 Subject Alternative Name containing the names we specified in the file:

openssl req -in workbench.local.csr -noout -text

Now we have to create a config file for the certificate itself; let's name it workbench.local.crt.conf:

# Only [ req_ext ] and [ alt_names ] are read by the "openssl x509 -extfile" command
# below; the [ req ] and [ req_distinguished_name ] sections only matter if this
# file is also passed to "openssl req" via -config.
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext  # this is where we refer to the req_ext section

[ req_distinguished_name ]
# In a distinguished_name section the bare field is the prompt text and the
# _default entry is the value offered when prompting.
countryName = BR
countryName_default = US
# Add other Distinguished Name fields here (Common Name, Organization, etc.)
commonName = workbench.local

[ req_ext ]
subjectAltName = @alt_names  # This references the SAN section

[ alt_names ]
DNS.1 = workbench.local
DNS.2 = *.workbench.local

This file is required for the -extensions req_ext flag in the next command we'll run. Finally, we create the certificate, signed by our root CA:

openssl x509 -req -in workbench.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out workbench.local.crt -days 500 -sha256 -extensions req_ext -extfile workbench.local.crt.conf

and check its content:

openssl x509 -in workbench.local.crt -text -noout

The output should contain a section X509v3 Subject Alternative Name: listing the names from the [ alt_names ] section of the extfile, workbench.local and *.workbench.local. Note that openssl x509 -req does not carry the CSR's own SAN list over: whatever is in the -extfile is what ends up in the certificate, so this is the place to check that the names are the ones you intended.
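The whole procedure as a script, added here as an example and not part of the original gist: it runs the gist's commands without prompts in a scratch directory, then checks what the browser will check (the leaf chains to rootCA.crt) and which SANs the leaf really received. The passphrase "changeit" and the root's subject are constructed placeholders; the gist's two config files are merged into one, plus a [ v3_ca ] section that marks the root as a CA.

```shell
#!/bin/sh
# Added example, not part of the original gist: runs the gist's steps without
# prompts in a scratch directory, then checks what the browser will check (the
# leaf chains to rootCA.crt) and which SANs the leaf actually received. The
# passphrase "changeit" is a placeholder; the gist's two config files are merged
# into one here, plus a [ v3_ca ] section marking the root as a CA.
set -eu

# Issue rootCA.crt and workbench.local.crt in directory $1 (subshell body, so the
# caller's working directory is untouched).
issue_certs() (
    cd "$1"
    printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' 'commonName = CN' \
        '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[ SAN ]' 'subjectAltName = DNS:workbench.local, DNS:www.workbench.local' \
        '[ req_ext ]' 'subjectAltName = @alt_names' \
        '[ alt_names ]' 'DNS.1 = workbench.local' 'DNS.2 = *.workbench.local' > pki.cnf
    # Root CA: DES3-encrypted key (passphrase passed in, not prompted) and a
    # self-signed certificate that asserts CA:TRUE.
    openssl genrsa -des3 -passout pass:changeit -out rootCA.key 4096 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin pass:changeit -sha256 -days 1024 \
        -subj "/CN=Workbench Root CA" -config pki.cnf -extensions v3_ca -out rootCA.crt
    # Leaf: key, CSR carrying the [ SAN ] names, then signing by the root. The SANs
    # in the certificate come from -extfile/-extensions, not from the CSR.
    openssl genrsa -out workbench.local.key 2048 2>/dev/null
    openssl req -new -key workbench.local.key -out workbench.local.csr \
        -subj "/CN=workbench.local" -reqexts SAN -config pki.cnf
    openssl x509 -req -in workbench.local.csr -CA rootCA.crt -CAkey rootCA.key \
        -passin pass:changeit -CAcreateserial -out workbench.local.crt -days 500 \
        -sha256 -extensions req_ext -extfile pki.cnf 2>/dev/null
)

# Succeeds when the leaf in $1 chains to $1/rootCA.crt.
chain_ok() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/workbench.local.crt" >/dev/null 2>&1
}

# Prints 1 if DNS name $2 appears in the SAN extension of certificate $1, else 0.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; then echo 1; else echo 0; fi
}

if [ "${1:-}" = "--demo" ]; then        # ./pki.sh --demo
    d=$(mktemp -d); issue_certs "$d"; chain_ok "$d" && echo "chain verifies"
    echo "www in cert: $(cert_has_san "$d/workbench.local.crt" www.workbench.local)"
fi
```

Running it with --demo shows the chain verifying and "www in cert: 0": the www name requested in the CSR is absent because only the extfile's alt_names made it into the certificate.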

After that we can add rootCA.crt to the browser's trusted roots and start using the .key and .crt files we generated to serve https :)
